Speech by SEC Staff:
Annual Conference on Capital Management of the Risk Management Association and Professional Risk Managers' International Association

by

Ethiopis Tafara

Director of the Office of International Affairs
U.S. Securities and Exchange Commission

New York, NY
November 9, 2004

Thank you, David.

And thank you, ladies and gentlemen, for inviting me here to address the RMA-PRMIA annual conference on Capital Management.1

Risk and Securities Regulators

I must admit that I was surprised when David first asked me to speak at your conference. After all, risk assessment typically is thought of as something undertaken by market participants, not market regulators.

Of course, the Securities and Exchange Commission has always taken a keen interest in risk. Managing reputational, legal, operational and economic risk plays an important part in SEC regulation of financial institutions. And, at their heart, US securities laws and regulations are predicated on the idea that, given sufficient information, investors are best able to assess investment opportunities and make decisions that best align with their own tolerance for risk.

However, until recently, we securities regulators had not explicitly thought of our own regulatory and enforcement programs in the language of risk assessment - even where it is obvious that risk assessment is what we have been doing for quite some time. So, as David very astutely noted at a recent conference of the International Organization of Securities Commissions, the truth is we are all risk assessors now. Securities regulators function in the same world that investors, issuers and capital managers do - a world of finite information and finite resources. Making the best use of the information and resources we have in the face of uncertainty is our ongoing task, just as it is yours.

Explicitly recognizing these facts is not difficult, even though the language of risk assessment is occasionally jarring to some of us. The popular media tends to view much of the SEC's work in black-and-white terms - lawsuits filed against obvious bad-guys, and regulations promulgated to address clear problems. And even those of us with an inside-view don't publicly dwell on the uncertainties and resource choices that underlie SEC policies once difficult decisions are made. After all, many of us are lawyers, and good lawyers are taught early to never publicly ask questions where the answer is in doubt.

Nonetheless, recent financial scandals and a changing global capital market have underscored the relentless logic of David's observation. There are close to 15,000 public companies in the United States today, with a market capitalization of more than $14 trillion. More than half of all households in the US are invested in our capital markets, either directly or through mutual funds or pension plans such as 401K's.

And the cross-border aspect to our capital markets has exploded. More than 1300 foreign companies are listed on US stock exchanges today, three times as many as in 1991. American retail investors now hold $2 trillion worth of foreign securities - nearly 10 times the amount they held just over a decade ago. Globally, cross-border equity flows now exceed $300 billion per year, 20 times what it was in 1990.

When something goes wrong in this enormous, fast-growing global market, people notice. Whether the crisis takes the form of a liquidity crunch in a developing market, massive fraud that bankrupts a major company, or a terrorist attack on a major financial center such as we saw on September 11, the interconnected nature of our markets means the pain is widely shared.

The Risks Regulators Face

And what are the risks financial regulators face in this brave new world of global capital markets? In many cases, these risks are a reflection of the risks faced by industry.

Risk, at its most basic, is about uncertainty. And, in a world of finite resources, risk management means identify the uncertainties with which we can live with, and those with which we can't. As securities regulators, the risks on which we focus most heavily are those that threaten investor protection and the integrity of our markets.

Market integrity and investor protection are not at all the same things as market stability or protecting investors from all harm. A willingness to assume some risk is a necessary component of our entire financial system. Securities regulation is not designed to be an insurance policy against speculation. It is not meant to eliminate uncertainty. Rather, investor protection and market integrity are about providing investors a fair shake in appearance and reality. It means providing investors with all available material information they need to make an investment decision. It means warning investors where uncertainties exist. And, most importantly, it means deterring fraud.

Issuer-Specific Risks and Disclosure

To a degree, the job of a securities regulator is to help manage precisely those risks that investors and markets are unable to manage on their own. A recent poll of senior executives and investment professionals [by a commercial insurer] found that 69 percent viewed threats to their property and supply chains as the most significant threats they face.2 By contrast, only one percent considered terrorism a significant threat, and only three percent most feared managerial fraud. This makes sense. Property and supply chain risks are very real dangers. In a world of Just-In-Time production processes, an earthquake in Japan, a hurricane in Florida, or quality control problems at a production facility in Europe can have a devastating impact on suppliers and customers alike.

Investors care about such risks. But they can adjust for them. Provided investors are aware of these risks through proper disclosure by issuers of known and reasonably anticipated risks- investors can diversify their portfolios. They can reward those issuers that have better risk management policies and procedures with a lower cost of capital, and charge a premium where risks are unreasonably high.

With these types of risks, the regulators' job is not to manage investor risk. Our job is to enforce high quality disclosure and accounting standards, so that investors can understand the risks of an investment and compare risks between issuers and across industry sectors. And, in an ideal world, they could draw comparisons between issuers in different countries as well as in different industries.

Prudential Risk

Other risks, however, are more difficult for investors to cope with. Or, to be more accurate, investors can adjust for these risks, but only at a cost to economic efficiency. Such risks, for example, include intermediary operational risks, such as have been discussed earlier today. For the most part, investors may be unable to peer into the operations of broker-dealers and other intermediaries, to make themselves comfortable that the firm has proper risk-management procedures in place.

Firms obviously wish to protect their reputations and thus have an incentive to maintain adequate capital reserves, insurance, and risk-mitigation plans. But where competition is high and transparency is low, firms may be hard-pressed at times to maintain adequate reserves and properly fund the risk management function. And if a competitor "cheats" and pays only lip-service to risk management, while systematically ignoring this function, other firms may be at a serious competitive disadvantage. The regulator's job is to help maintain a level playing field, so that firms are not pressured to skimp on this area.

You may argue, of course, about whether regulators get the details right. But, absent prudential oversight, investors will be left to their own devices. They will charge their own risk premiums - self-insure, as it were. And the premium is money that everyone - investors, intermediaries and issuers alike - would prefer be put to more productive uses.

Risk of Fraud

A more prominent risk investors look to regulators to help manage, obviously, is the risk of fraud and the expropriation of their assets by managers or dominant shareholders. As far back as the early 1930s, when Adolf Berle and Gardiner Means first characterized the modern corporation by the separation of ownership and control, the moral hazard this situation creates has perplexed governments, issuers and investors alike.

Aggravating the situation is that these risks are not so easily quantifiable or disclosed. I am not aware of a country where expropriation of minority shareholder by management or a controlling shareholder is sanctioned. But as you might expect risks of fraud and managerial malfeasance, by their very nature, tend not to be disclosed.

Indeed, despite laws against fraud on the books, the risks of fraud are real. And even where the likelihood of fraud is small, securities regulators are concerned about the threat because the potential damage is so great. This is because the damage is not limited to just the defrauded shareholders. It's a threat to the system. Although I believe Professors Berle and Means underestimated how laws and regulations can help address the conflicts of interest that arise from the separation of corporate ownership and control - they wrote, after all, two years before the SEC was created - they nonetheless recognized what a worst-case scenario looked like. They called it "exploding the atom of property" that "destroys the basis of the old assumption that the quest for profits will spur the owner of industrial property to its effective use."3

This sounds dire, but we well know what happens when investors seriously question the integrity of a market. We see this in developing stock markets around the world. Absent effective regulation and laws protecting property rights, investors look to other means to protect themselves against fraud and expropriation. They may charge a risk premium for their investment. They may demand that their investments be secured by property, or they may insist on representation on the board of directors and direct oversight of managerial operations. And they may not invest directly in domestic issuers at all.

None of this is optimal. Stock markets that are viewed as little more than crooked casinos are not good places for companies to raise capital. Everyone suffers as a result. Companies pay more for capital and are not able to grow as fast as they otherwise could. Fewer jobs are created. And investors enjoy smaller returns and pension funds do not ensure as comfortable a retirement for us as we might hope.

Recent SEC Activities to Identify and Address Risks

These are some of the risks we regulators worry about. The potential harm we face if we fail is much greater than just having to answer a few embarrassing questions by the press. But harm is only one part of the risk calculus. A very sizable harm may still be a small risk if the chances of it occurring are remote. In fact, I often hear critics charge that the Sarbanes-Oxley Act and recent SEC regulations are an overreaction - that, despite recent events, a real threat to investor confidence is highly unlikely.

This reminds me of a story I heard about a Soviet statistician who refused to join his colleagues in the Moscow air raid shelters during the German bombing campaign in 1942. He would say that there are seven million inhabitants in the city of Moscow - what are the odds the Germans would get him in particular? Then one day his friends see him rush into the shelter during a raid, looking pale as a ghost. They asked him what on earth happened that would cause him to change his mind. He replied, "There are seven million people in Moscow, and one elephant. Last night they got the elephant."

You'll forgive regulators if we feel the same way. The odds of investors losing confidence in our markets may be small, but - after Enron, Worldcom, Tyco, Hollinger, emails from securities analysts referring to recommended securities as "dogs," and market-timing and late-trading abuses at mutual funds - we feel "they got the elephant."

Recent regulatory reforms

Some of what the SEC has done to address risks to our capital markets is well-known.

Even prior to Enron and the passage of Sarbanes-Oxley, the SEC stepped up its enforcement program and began looking into securities analyst conflicts of interest and auditor independence. Over the past two years, the SEC has helped set up a new auditor oversight body - the Public Company Accounting Oversight Board under Bill McDonough - that is designed to protect the quality and independence of the accounting and auditing professions.

The SEC has also undertaken reform of how self-regulatory organizations such as the NASD and New York Stock Exchange are governed. SROs play a critical role in our financial system, as standard setters for listed issuers, operators of trading markets, and as monitors of trading activities. Some of the reforms the SEC has already approved include a proposal that would help insulate the New York Stock Exchange's regulatory functions from potential conflicts of interest posed by its business function.

The SEC is also reviewing the structure of our national market system. The proposed Regulation NMS includes a broad set of ideas designed to improve how our markets operate and address a number of risks - such as ensuring competition between exchanges and alternative trading platforms, making transaction costs more transparent, and promoting technological innovations, all while trying to ensure that investors are offered the best price with the quickest execution.

Enforcement

The SEC, from its very beginning in 1934, has also recognized that rules without enforcement are a recipe for disaster where investor confidence and market integrity is concerned. Over the past two years, in response to the numerous high-profile securities fraud cases in the United States and abroad, the SEC filed more than 1300 enforcement actions. We have obtained court orders for nearly $5 billion in penalties and disgorgements where violations of federal securities laws have occurred.

For many in industry, our response may seem draconian. But, as I mentioned, the risks to market integrity was great and a dramatic response was demanded. When it comes to its regulatory program, the SEC recognizes that public and industry input is essential. We listen to the concerns of those in the trenches and to those who actually have to live by the rules we set up. But when it comes to enforcing our securities laws, protecting investors, and guarding the integrity of our market, we are relentless. And I think the fact that, over the past seventy years, our capital markets have grown to be by far the largest and most dynamic in the world is testament that this approach works.

SEC Risk Infrastructure

Finally, under the leadership of SEC Chairman Bill Donaldson, the SEC has also undertaken reforms to its own internal operations to better identify and address risks to our organization and our markets.

This past year, the SEC created an Office of Risk Assessment and a program within the SEC's individual divisions and offices to help identify risks from the bottom-up. This new office, led by Charles Fishkin, whom many of you may know, has already been successful in generating among the SEC staff something of an embryonic risk assessment culture. Staff is encouraged to identify and report possible market risks and weaknesses that they come across in their day-to-day work. The Office of Risk Assessment acts as a junction between the SEC's offices and divisions where this information is collected, trends are identified, and possible responses coordinated. It also intends to play a role in developing best practices for risk management for the corporate and financial sectors.

Addressing Risk in a Global Market

However, as I mentioned when I began my remarks, US capital markets no longer operate alone in a bubble - if they ever did. The financial scandals that struck the US in 2001 did not stop at our borders. Our colleagues in Canada, France, Italy, Britain and the Netherlands have experienced similar problems.

And, as the Parmalat scandal in Italy demonstrated to any doubters, the globalized nature of capital markets today makes financial fraud an international problem. Parmalat, as you may know, is an Italian company, traded on the Milan stock exchange, with operations throughout the world. A year ago this past December it came to light that, despite claiming in its annual reports that it had billions in assets and hundreds of millions worth of cash reserves, it was essentially bankrupt. It's audited financial statements were fraudulent. A letter from a bank to auditors attesting to accounts flush with cash was a cheap forgery. Shell companies in the Cayman Islands were used to disguise losses from acquisitions in Latin America. And hundreds of millions of dollars in company assets were transferred to entities owned by the controlling family. Defrauded investors can be found all over Europe, Asia, Australia and North and South America. It was, as one of my Italian counterparts likes to say, an international fraud.

As the Parmalat case and others like it demonstrate, the risks for regulators that I've outlined above are even more complicated in the international context. The risks issuers face are more complicated - risks posed by different suppliers and customers, by fluctuating exchange rates, by political risk, etc. These risks must be disclosed. But how does a regulator assure adequate disclosure when subsidiaries are audited by audit firms licensed and operating abroad? How do regulators approach prudential oversight for intermediaries with significant operations in different jurisdictions? When fraud occurs, how can regulators prosecute the fraud if the evidence and proceeds of the fraud are located in other countries? What's more, how can securities regulators around the world ensure that their own jurisdictions laws are enforced without creating layers of overlapping and even contradictory regulations that end up stifling the very markets we are trying to protect?

In the face of these risks, the SEC and our counterparts overseas have developed innovative and cooperative approaches to solving these problems.

The SEC's Office of International Affairs was created in 1989 to address just these issues. Over the past decade, the SEC, through our office, has negotiated and signed more than 30 memoranda of understanding with other securities and financial regulators around the world. These MOUs not only lay out a mechanism by which we and our counterparts collect and share enforcement-related information such as bank account records and testimony, but they establish a baseline of a relationship that has proven useful in many other contexts.

These relationships, buttressed by membership in organizations such as the International Organization of Securities Commissions, were vital in the immediate hours after the terrorist attacks on September 11. Securities markets around the world halted trading and regulators needed to coordinate with each other on issues such as clearance and settlement, creating liquidity and ensuring that vital components of our financial infrastructure were intact.

The shock of September 11, and the coordination among securities regulators that followed, has itself led to one of the most significant international mechanisms for strengthening international capital markets against financial fraud. In 2002, IOSCO created a Multilateral MOU through which signatories pledge to share enforcement information with all other signatories. This Multilateral MOU goes beyond just information-sharing because it creates a benchmark for cooperation that potential signatories must prove they meet before being permitted to sign. IOSCO also created an ongoing monitoring mechanism to ensure that signatories live up to the terms of the agreement.

In the two years since its inception, the IOSCO Multilateral MOU has proven extremely successful. Currently, there are 26 signatories - many of whom are regulators from developing markets that only recently did not have the legal authority to provide assistance to their foreign counterparts.

Through its membership in IOSCO and other organizations, the SEC has also worked to develop ways to manage other international regulatory risks as well. For example, most of you have heard that last year the SEC, the Attorney General of New York, and many state securities regulators agreed to a settlement with 10 of the largest investment banks regarding conflicts of interest affecting their securities analysts. Concerns about securities analyst conflicts of interest, however, are not limited to the United States. Because different regulatory approaches to this issue could create opportunities for "regulatory arbitrage" - where lax rules in one jurisdiction would undercut more stringent protections in another - IOSCO developed a set of regulatory principles for addressing these conflicts of interest. These principles are broad and can be implemented in a variety of ways, depending on the legal and market structure of each country. However, the objectives underlying each of these principles must be met. And IOSCO plans to assess its members' implementation of these principles in the near future.

Similarly, the SEC is currently leading an IOSCO task force to develop a code of conduct for the credit rating agencies. In this case, not only have securities regulators worked closely to develop a mechanism by which the independence and quality of credit ratings be protected, but we have also worked closely with the other major regulatory users of credit ratings - the Basel Committee and the International Association of Insurance Supervisors.

In other areas, the SEC has worked closely with other regulators through different international organizations to create regulatory principles for MD&A disclosure, oversight of the auditors, auditor independence, corporate governance, combating money laundering, and client identification and beneficial ownership requirements for broker-dealers and other market intermediaries.

In each of these cases, the goal is two-fold: to make sure there are no cracks in the regulatory oversight of a global market watched over by national-level regulators; and to help coordinate policies so unnecessary and conflicting regulation can be avoided.

A prime example of this is the current accounting standards convergence work being undertaken by the US Financial Accounting Standards Board and the International Accounting Standards Board. From a securities regulator's perspective, accounting standards should do two things: paint an accurate picture of an issuer's financial condition, but also allow investors to draw comparisons between different issuers. Obviously, an international set of accounting standards would, theoretically, allow investors to compare investments in different countries. But it would also facilitate cross-border listings, because an issuer listing in a foreign jurisdiction would not have to reconcile its home-market accounting standards to those used in the other country. However, as any accountant can tell you, accounting standards are complicated. And, while great progress towards convergence between US Generally Accepted Accounting Principles and International Financial Reporting Standards is being made, this remains a long-term process.

The SEC, along with other US financial regulators, is also engaged in an ongoing dialogue with the European Commission to discuss regulatory issues of mutual concern and enhance each other's understanding of the other's regulatory system. The eventual goal of this dialogue is to further explore areas of regulatory cooperation and convergence.

Among the issues discussed with the European Commission most recently were the potential effects of the European Union's Financial Conglomerates Directive on US global securities firms operating in Europe. In part, in response to this directive, the SEC released two rule proposals to create voluntary processes for group-wide supervision of broker-dealers and their affiliates, allowing the Commission to supervise broker-dealers on a consolidated, group-wide basis. Related to this dialogue, the SEC has also entered into a discussion with the Commission of European Securities Regulators, in light of the role this body plays in developing European Union securities laws and policies.

Conclusion

In conclusion, the risks financial regulators face in today's global capital market are daunting. And the costs of failure may be very high. Fortunately, however, through cooperation, coordination, and dialogue, I believe we have at hand the tools to help manage these risks. It is a learning process. And we in government certainly will look to you professionals in this field because you are both our partners in managing risks to the integrity of our markets, and teachers in ways to assess and a manage risk in our own work. But, by explaining to you how we securities regulators view and manage risk, I hope you, in turn, will be in a better position to offer us your own insights into this ongoing process.

Thank you.

Endnotes

1 The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff

2 Andrea Felsted, "Back to Basics in a Time of Danger," Financial Times (October 27, 2004).